R&T-A Regulatory Approach to Tackling Digital Scams
CYBERSECURITY AND DATA PROTECTION - December 2023

A Regulatory Approach to Tackling Digital Scams – Singapore’s Framework of Duties and Liability

By Rajesh Sreenivasan, Steve Tan, Benjamin Cheong, Lionel Tan, Tanya Tang and Justin Lee (Rajah & Tann Singapore LLP)

I. Introduction

The commercial world is increasingly shifting into the digital realm, with digital payments, transactions and commerce being widely adopted. It should come as no surprise, though, that criminals and scammers have followed the financial trail and are establishing digitally-enabled scams that continue to grow in number and sophistication. The Singapore Police Force has reported that from January to June 2023 alone, the number of scam and cybercrime cases reached 24,525, with the total amount reported to have been cheated estimated at S$334.5 million.

As the risk of such scams escalates, it has become clear that individuals and consumers alone cannot effectively combat digitally-enabled scams; other entities in the procedural chain also have a part to play. This includes players such as financial institutions (“FIs”), telecommunications operators (“Telcos”), internet access service providers, and other online communication and commercial platforms.

In Singapore, the approach towards tackling scams has been multi-layered and wide-ranging, emphasising the importance of the respective roles of consumers and industry stakeholders. More recently, the Singapore Government has been working towards building up a regulatory framework more specifically directed towards digitally-enabled scams. The benefit of this regulatory approach is that it provides greater certainty and structure, more clearly setting out each party’s duties and responsibilities, as well as where the liability for scam-related losses will lie.

In this article, we take a bird’s eye view of the recent regulatory instruments and structures put in place to manage digitally-enabled scams. This includes the following:

  • The Online Criminal Harms Act (“OCHA”);
  • SMS Sender ID Regime; and
  • The proposed Shared Responsibility Framework (“SRF”) and enhancements to the E-Payments User Protection Guidelines (“EUPG”).

II. Online Criminal Harms Act

The OCHA was passed in the Singapore Parliament on 5 July 2023. It is aimed at online content or activity which is criminal in nature, or which is used to facilitate or abet crimes. The OCHA allows directions to be issued to online service providers, other entities, or individuals, when specified criminal offences take place. It also contains special provisions to counter scams and malicious cyber activities.

Law enforcement officers are empowered by the OCHA to issue the following types of proactive directions to take action once scams and malicious cyber activities are detected:

  • Access blocking direction: The OCHA allows the issuance of a direction to a provider of an internet access service to take all reasonable steps to disable access by Singapore persons by means of the recipient's internet access service to any relevant material or relevant location, by a specified time.
  • App removal direction: The OCHA also allows the issuance of a direction to a provider of an app distribution service to take all reasonable steps to stop distributing a relevant app to Singapore persons and stop enabling Singapore persons to download a relevant app, by means of the recipient's app distribution service, by a specified time.

The OCHA also empowers a Competent Authority to issue Codes of Practice and Implementation Directives relating to scams.

  • Designated online services: The Competent Authority can designate online services that would be subject to Codes of Practice and Implementation Directives to be applied against offences in the Second Schedule of the OCHA. For now, the Second Schedule only specifies scam and malicious cyber activity offences.
  • Codes of Practice: For the purposes of countering the offences specified in the Second Schedule, the Competent Authority is empowered to issue Codes of Practice to designated online services.
  • Implementation Directives: The OCHA also empowers the Competent Authority to issue Implementation Directives to providers of designated online services, requiring them to put in place any system, process, or measure, if it is satisfied that this is necessary or expedient to address a relevant offence under the Second Schedule.

III. SMS Sender ID Regime

One common method scammers employ is to disguise SMS sent to Singapore mobile users by using the same alphanumeric sender identification ("Sender ID") used by genuine businesses and organisations, so as to deceive victims into divulging sensitive information. To combat this, in March 2022, the Infocomm Media Development Authority ("IMDA") established the Singapore SMS Sender ID Registry ("SSIR"), which is a central body for the registration of Sender IDs to be used in Singapore. SMS that attempt to spoof the registered Sender IDs will be blocked upfront, thus reducing the risk of scams.

From 1 January 2023, SSIR participation and registration were made mandatory for all organisations that choose to use Sender IDs to send SMS to Singapore mobile users. Only registered Sender IDs may be used to send SMS, and all non-registered Sender IDs will be blocked.

The full SSIR regime also sets out the following requirements for organisations and aggregators who wish to handle/send SMS with Sender IDs to Singapore mobile users:

  • Organisations: Merchants and organisations that use SMS Sender IDs must register with the SSIR using their local unique entity number as issued by relevant government agencies, and provide the list of Sender IDs that they wish to protect. The organisations will then need to choose aggregators that are licensed by IMDA and registered with the SSIR to handle these SMS to be sent to Singapore mobile users.
  • Aggregators: All aggregators that wish to handle SMS with Sender IDs sent to Singapore mobile users must obtain, at a minimum, a Services-Based Operator (Class) licence from IMDA. Licensed aggregators must comply with regulatory requirements such as performing Know Your Customer processes on the organisations for which they are sending SMS to ensure they are genuine.

IV. Shared Responsibility Framework and E-Payments User Protection Guidelines

In order to further structure the responsibilities of FIs and Telcos, and to set out their respective liability for scam losses, the Monetary Authority of Singapore (“MAS”) and IMDA launched the following consultations on 25 October 2023:

  • Shared Responsibility Framework: MAS and IMDA published a joint consultation paper proposing an SRF specifically dealing with phishing scams. The SRF sets out anti-scam duties for FIs and Telcos and proposes a "waterfall approach" for sharing losses.
  • E-Payments User Protection Guidelines: MAS has also published a consultation paper on proposed enhancements to the EUPG which seek to address digitally-enabled scams.

The key features of the SRF are as follows:

  • It applies to responsible FIs (banks and relevant payment service providers that have issued a protected account) and responsible Telcos (mobile network operators under the Telecommunications Act which provide cellular mobile telephone services).
  • It covers phishing scams which have both a digital nexus and a Singapore nexus.
  • It proposes a "waterfall approach" for sharing losses, under which responsible FIs will bear the losses if they have breached their duties, followed by responsible Telcos if they have breached their duties, with consumers bearing the loss only if the FIs and Telcos have carried out their SRF duties.
  • It sets out the duties of responsible FIs, including imposition of a cooling-off period upon activation of a digital security token, notification for activation of tokens and high-risk activities, notification for outgoing transactions, and a reporting channel and kill-switch.
  • It sets out the duties of responsible Telcos, which include connecting only to authorised aggregators, blocking Sender ID SMS from unauthorised SMS networks, and implementing an anti-scam filter.

The EUPG deals with unauthorised and erroneous transactions (and not just phishing scams), setting out the responsibilities of FIs and consumers and their liability for losses. The proposed amendments seek to address phishing scams by:

  • Aligning industry practice across responsible FIs by including in the EUPG the suite of anti-scam measures announced by MAS and the Association of Banks in Singapore on 19 January 2022 and 2 June 2022;
  • Further enhancing the duties of responsible FIs to facilitate the prompt detection of scams by consumers and a fairer dispute resolution process; and
  • Enhancing the duties of consumers to take necessary precautions against scams.

The above consultations close on 20 December 2023.

V. Concluding Remarks

Singapore regulators have demonstrated a structured and multi-pronged approach towards dealing with digitally-enabled scams, establishing a regulatory framework that is informed and responsive. The framework directly addresses important questions regarding such scams, including the responsibilities and liability of the relevant parties.

As technology continues to advance, and online behaviour continues to evolve, it is likely that digitally-enabled scams will continue to evolve as well. It remains to be seen how the regulatory framework, which is still in a developmental stage, will continue to advance in the future.

AUTHOR INFORMATION:

Rajesh Sreenivasan is Partner and Head of Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: rajesh@rajahtann.com

Steve Tan is Partner and Deputy Head of Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: steve.tan@rajahtann.com

Benjamin Cheong is Partner and Deputy Head of Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: benjamin.cheong@rajahtann.com

Lionel Tan is a Partner in the Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: lionel.tan@rajahtann.com

Tanya Tang is a Partner and Chief Economic and Policy Advisor at the Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: tanya.tang@rajahtann.com

Justin Lee is a Partner in the Technology, Media & Telecommunications Practice at Rajah & Tann Singapore LLP.
E: justin.lee@rajahtann.com